
Active Directory Parent/Child Domain Issue

DarkOneX

Posted 30 June 2008 - 06:29 AM


I have posted on Experts Exchange and had a guy help me get DNS all straightened out, but I don't think that was the cause, nor did it fix this annoying issue that I just noticed last week. This is something that has worked forever until sometime last week. The only things I have done with the domain controllers were installing Windows Updates and rebooting them, and I can't help but think one of the updates changed something to cause this. I am also currently logging no errors of any type on either domain controller; I was until I got some DNS stuff straightened out, but now Event Viewer is clean on both controllers and this problem still exists. Anyway, here is my issue.

I have my parent domain, let's call it parentdomain.com
I have my child domain, let's call it childdomain.com
I am running Windows 2000 Server with latest SP and all updates on the primary DC in parentdomain.com, and Win2k3 Server with SP2 and all updates on the primary DC in childdomain.com
I need to assign a user in childdomain.com to a security group in parentdomain.com called FINANCE_FOLDER. Used to be I could just pull up Active Directory Users and Computers in the DC in the child domain and go to the properties of the user, click on Member Of, and Add, then click Locations and it would display my entire tree like this for example.

So I could just click on Parentdomain.com and do a search for FINANCE_FOLDER and it found it and I could add it. Now the tree looks like this when doing this from the child domain:

Childdomain.com
Accounting
Construction
Finance
Marketing
Payroll

So now I no longer can do that, because now that tree under locate only allows me to search in childdomain.com, so I can't search or add security groups that exist on the parent domain to people on the child domain anymore. Also, it doesn't list the security groups users have been assigned from the parent domain like it used to. So say I have a user Joe Blow on the child domain whom I know has always been assigned to a group parentdomain.com\FINANCE_FOLDER that exists on the parent domain; it no longer shows he's assigned to it in the Member Of tab. Oddly enough though, if I open up AD Users and Computers on the DC controller in parentdomain.com, even though it also no longer shows childdomain.com in the tree like it used to, if I do a search for a user, it lets me select childdomain.com and actually find and display a user on the child domain, and it shows his security groups from both domains there. However, it won't find security groups from childdomain.com like it used to either, so I can't assign him to new groups from there like I should and used to be able to.

I hope this makes sense. I know it's long-winded, but I really need this fixed as it's been broken like this for about a week now, and I have some users that I currently need to add to groups from the other domain right now and can't until this is fixed. Hopefully somebody has experienced this and can help me fix it or point me in the right direction.

Thanks in advance.


dsenette

Posted 30 June 2008 - 06:59 AM


I'm going to attempt to do more research (can't promise anything), but I'd point my finger at the fact that the forest DC is on a 2000 machine in conjunction with the 2k3 updates that you ran... was one of them a service pack by chance? MS MAY have stuck something in there to "force" some upgrades (it's been done in the past).

I'm sure you've heard it enough but I'll say it again... having a 2k server as the parent DC is less than optimal.

I would assume (since everything has been working) that all of your DCs are in mixed mode? Not native? (Only really applies to 2k3.)

DarkOneX

Posted 30 June 2008 - 12:48 PM


Yes, I installed a Windows 2000 Server SP on the primary DC, the Win2k one, and then SP2 on the 2003 boxes in the child domain. Needed to because, well, they hadn't been done, and we are working towards level 1 PCI compliance and I had to update them all for that. Yes, they are all in mixed mode. So you think it was just coincidental it was showing everything before, and MS put out a fix that technically fixed something but made it stop working? That primary DC is Win2k probably just because, well, it does a lot of stuff and it would be a humongous undertaking to update it to Win2k3, and that's not something I really feel comfortable doing anytime soon in my new position, so hopefully this can be fixed without that. Thanks for your reply and let me know if you find anything, and I will keep searching fruitlessly as well.